Manual Chapter : Managing Devices

Applies To:

BIG-IQ Security

  • 4.2.0

About device discovery

Designating a firewall device for central management by BIG-IQ Security is called device discovery.

After discovery, BIG-IQ Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.

BIG-IQ Security displays devices under management in the Devices panel.

Before discovering BIG-IP devices, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a REST framework that supports the required Java-based management services.

Discovering devices

Before discovering one or more BIG-IP devices, ensure the required BIG-IQ components are installed on those devices.

Once a device is under central management, the device configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration entities (shared objects). After that point, do not manage the firewall device locally unless there is an exceptional need.

During discovery, a Cancel Task button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Cancel Task, the import is canceled and management authority over the device is rescinded.

  1. To begin the discovery process, navigate to the Devices panel. At first login, this panel is empty because there are no discovered devices.
  2. Hover in the Devices banner and click the + icon to display the property fields for a new device.
  3. Edit the property fields as required.
    Option                 Description
    Device Address         Enter the internal self IP for the BIG-IP device.
    Cluster Name           Enter a name for the cluster. Optional, but highly recommended.
    User Name              Enter the login name of a user on the BIG-IP device. For example: fw_admin.
    Password               Enter the password for this user.
    Snapshot               Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing.
    Auto Update Framework  Select this check box to update the REST framework installed on the BIG-IP device.

    It is required that certain BIG-IQ system components be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that support the required Java-based management services. To ensure the framework is up-to-date, select this check box.

  4. Click Add.
After discovery, the BIG-IP device is listed in the Devices panel by its FQDN and internal self IP address. Also, the system lists the snapshot of the working configuration taken during import in the Snapshots panel. The system imports the firewall policy for this device and makes it available for configuration management.

About declaring management authority

The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import.

The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.

Note: In this scenario, a conflict is defined as two shared objects having the same name, but containing different data.

About conflict resolution

A conflict is found when two shared objects have the same name but different data. Conflicts prevent the discovery process from running to completion.

Note: It is the responsibility of the Firewall manager to know how to resolve conflicts between shared objects and to deploy the resolution. If you encounter conflicts during discovery, import, or reimport, you must resolve those conflicts before you can interact further with BIG-IQ Security.

In the event of a conflict, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found. The Resolve Conflicts dialog box also includes an option you can use to apply a single action to all conflicts listed.

Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.

Conflict resolution options

This table lists the columns of the Resolve Conflicts dialog box and the actions available for each conflict.

Column                          Description
On BIG-IP (device IP address)   Name of the shared object on the BIG-IP device.
On BIG-IQ                       Name of the shared object on the BIG-IQ Security system.
Type                            Type of shared object in conflict: address list, port list, rule list, policy, or schedule.
Action                          Select one of the following:

  Keep Both
    Retain both objects as configured. BIG-IQ Security renames the incoming object to resolve the conflict, then updates rules to reference the new object name. The new name includes the device name so the object is easy to find.
  No Action
    Leaves the conflict unresolved, which prevents the discovery process from completing. If you are not ready to resolve the conflicts but need to perform other firewall management tasks, cancel the discovery process and return to it later.
  Use BIG-IP Version
    Keep the object as configured on the BIG-IP device and overwrite the object as configured in the central BIG-IQ Security database.
  Use BIG-IQ Version
    Keep the object as configured on BIG-IQ Security and overwrite the object as configured on the BIG-IP device (the overwrite is applied at the next deployment).
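The following is an added example, not BIG-IQ code, that models how the four Resolve Conflicts actions change the two sides. Shared objects are keyed by (type, name) and a conflict is the same key with different data; rules reference shared objects by name, so Keep Both has to rewrite references when it renames the incoming object. The rename scheme (device host name appended to the object name), the sample objects, and the rules are assumptions constructed for the example; the page only says the new name includes the device name.

```python
"""Model of Resolve Conflicts actions during BIG-IQ Security discovery.
Added example, not BIG-IQ code. Object data and naming scheme are assumed."""
from copy import deepcopy

# Actions as listed in the Resolve Conflicts dialog.
KEEP_BOTH = "Keep Both"
NO_ACTION = "No Action"
USE_BIGIP = "Use BIG-IP Version"
USE_BIGIQ = "Use BIG-IQ Version"


def find_conflicts(bigip_objs, bigiq_objs):
    """Keys present on both sides whose data differs (same name, different data)."""
    return sorted(k for k in bigip_objs.keys() & bigiq_objs.keys()
                  if bigip_objs[k] != bigiq_objs[k])


def renamed(name, device):
    """Assumed Keep Both naming: suffix the object name with the device host name."""
    return f"{name}_{device}"


def rewrite_refs(rules, kind, old, new):
    """Point every rule reference of the given object type from old to new."""
    for rule in rules:
        rule[kind] = [new if ref == old else ref for ref in rule.get(kind, [])]


def resolve(bigip_objs, bigip_rules, bigiq_objs, device, actions):
    """Apply a per-conflict action map and return the outcome without
    mutating the inputs: nothing reaches a device until it is deployed."""
    merged = deepcopy(bigiq_objs)   # BIG-IQ database after the import
    rules = deepcopy(bigip_rules)   # device rules, rewritten where Keep Both renames
    push_to_bigip = {}              # objects a later deployment overwrites on the device
    unresolved = []                 # conflicts left at No Action
    for key in find_conflicts(bigip_objs, bigiq_objs):
        kind, name = key
        action = actions.get(key, NO_ACTION)
        if action == KEEP_BOTH:
            new_name = renamed(name, device)
            merged[(kind, new_name)] = bigip_objs[key]
            rewrite_refs(rules, kind, name, new_name)
        elif action == USE_BIGIP:
            merged[key] = bigip_objs[key]
        elif action == USE_BIGIQ:
            push_to_bigip[key] = bigiq_objs[key]
        else:
            unresolved.append(key)
    # Objects that did not conflict join the database unchanged.
    for key, data in bigip_objs.items():
        merged.setdefault(key, data)
    return {"objects": merged, "rules": rules,
            "push_to_bigip": push_to_bigip, "unresolved": unresolved}


def discovery_can_complete(result):
    """Discovery only runs to completion once no conflict is left at No Action."""
    return not result["unresolved"]


# Constructed sample data: an address list and a port list conflict.
BIGIP_OBJS = {
    ("address list", "web_servers"): ["10.1.1.10", "10.1.1.11"],
    ("port list", "http_ports"): [80, 8080],
    ("address list", "dns_servers"): ["10.1.1.53"],
}
BIGIQ_OBJS = {
    ("address list", "web_servers"): ["10.1.1.10"],
    ("port list", "http_ports"): [80, 443],
    ("schedule", "business_hours"): "Mon-Fri 08:00-18:00",
}
BIGIP_RULES = [
    {"name": "allow_http", "action": "accept",
     "address list": ["web_servers"], "port list": ["http_ports"]},
]
ACTIONS = {
    ("address list", "web_servers"): KEEP_BOTH,
    ("port list", "http_ports"): USE_BIGIQ,
}

if __name__ == "__main__":
    result = resolve(BIGIP_OBJS, BIGIP_RULES, BIGIQ_OBJS, "bigip1.example.com", ACTIONS)
    print("discovery can complete:", discovery_can_complete(result))
    for rule in result["rules"]:
        print(rule["name"], "->", rule["address list"], rule["port list"])
    print("overwritten on the device at next deployment:", result["push_to_bigip"])
```

Leaving a conflict at No Action (an empty action map) produces a non-empty unresolved list and discovery cannot complete; Keep Both leaves the BIG-IQ copy alone and adds a renamed device copy, while Use BIG-IQ Version queues an overwrite that only happens when the deployment task runs.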

Displaying device properties

  1. To display properties for an individual device, hover over the banner for that device (in the Devices panel).
  2. Click the gear icon to display and expand the panel containing device properties.

Device properties

Device properties are displayed for informational purposes and are read-only, except the Snapshot and Auto Update Framework check boxes.

Device Property        Description
Host Name              Displays the fully-qualified domain name (FQDN), identified at discovery time.
Cluster Name           Displays the BIG-IP device cluster name, provided by the user at discovery time.
IP Address             Displays the IP address of the BIG-IP device, used for communication between it and the BIG-IQ Security system.
Product                Identifies the product.
Version                Identifies the version and hotfix level of the device under management.
Snapshot               Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration.
Auto Update Framework  Check box used to update the REST framework on the BIG-IP device.

About the device inventory

From the Devices panel, you can display an inventory of device properties and accompanying details for all devices under BIG-IQ Security central management. For further use, you can export this inventory to a CSV file.

Reimporting devices

Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.

Some possible reasons to reimport include:

  • Additions, deletions, or changes made to self IPs or virtual servers on the BIG-IP device.
  • Changes to policies, firewall rules, or shared objects made locally on the BIG-IP device.
  • Updates made to the BIG-IP device's software that need to be recognized by BIG-IQ Security.

If any of these reasons occur, you must reimport to reconcile any changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.

The reimport process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.

During reimport, a Cancel Task button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Cancel Task, the import is canceled and management authority over the device is rescinded.

  1. To begin the reimport process, navigate to the Devices panel.
  2. Hover in the banner for the device you want to reimport and when the gear icon appears, click it to display the expanded panel, containing device properties and actions. You cannot change any of the properties displayed on this screen, except the Snapshot check box, which is optional. To ensure that a snapshot is taken prior to import, leave the check box selected.
  3. In the expanded panel, click Reimport.
After reimport, the firewall policy for the selected device is refreshed and synchronized with the configuration stored in BIG-IQ Security.

Monitoring device health and performance

Before you can view device properties and health, you must discover at least one device. With the BIG-IQ system, you can assess the health and performance of your network from the Devices panel.

  1. Navigate to the Devices panel.
  2. Hover in the banner of the device you want to monitor and when the gear icon appears, click it to expand the panel.
  3. In the expanded panel, view health data under device properties.

About device configuration sets

Possible configuration sets for a firewall device centrally managed by the BIG-IQ Security system include:

Current configuration set
The configuration of the BIG-IP device as discovered by BIG-IQ Security. The current configuration is updated during a reimport and again before differences are calculated during the deployment process. After deployment (and after the resolution of any conflicting shared objects), BIG-IQ Security overwrites the BIG-IP current configuration (if the Use BIG-IQ Version option is chosen).
Working configuration set
The configuration as maintained by the BIG-IQ Security system. Initially, the working configuration is created when the firewall manager elects to manage the device from BIG-IQ Security (DMA). It is the configuration that is edited on BIG-IQ Security and deployed back to BIG-IP devices.
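The reimport guidance above (unreconciled local changes are overwritten by the next deployment) and the two configuration sets just described can be checked mechanically. The following is an added example, not BIG-IQ code: a three-way comparison that answers "what would a deployment overwrite if I do not reimport first?". It assumes the snapshot taken at the last import can serve as the common base (the page describes the snapshot but not this use), and all object data is constructed for the example.

```python
"""Three-way comparison of the configuration sets described on this page.
Added example, not BIG-IQ code. Using the last-import snapshot as the base
is an assumption; the sample objects are constructed."""


def classify_changes(snapshot, current, working):
    """Compare shared objects keyed by (type, name).

    snapshot: device configuration as of the last import (assumed base)
    current:  the device's configuration now (what a reimport would fetch)
    working:  the working configuration maintained on BIG-IQ Security
    """
    buckets = {"local_only": [], "bigiq_only": [], "both": [], "unchanged": []}
    for key in sorted(snapshot.keys() | current.keys() | working.keys()):
        base, dev, wk = snapshot.get(key), current.get(key), working.get(key)
        if dev == wk:
            buckets["unchanged"].append(key)    # deployment is a no-op here
        elif dev != base and wk != base:
            buckets["both"].append(key)         # diverged on both sides
        elif dev != base:
            buckets["local_only"].append(key)   # edited on the device only
        else:
            buckets["bigiq_only"].append(key)   # edited on BIG-IQ only
    return buckets


def deployment_preview(current, working):
    """Deployment pushes the working set: return (device value, new value)
    for every object the device would gain, lose, or have replaced."""
    return {key: (current.get(key), working.get(key))
            for key in sorted(current.keys() | working.keys())
            if current.get(key) != working.get(key)}


def needs_reimport(buckets):
    """Any local-only or two-sided change would be lost or clobbered by deploying."""
    return bool(buckets["local_only"] or buckets["both"])


# Constructed sample: the device was edited locally after the last import.
SNAPSHOT = {
    ("address list", "web_servers"): ["10.1.1.10"],
    ("port list", "http_ports"): [80],
    ("address list", "dns_servers"): ["10.1.1.53"],
    ("schedule", "maintenance"): "Sun 02:00-04:00",
}
CURRENT = {
    ("address list", "web_servers"): ["10.1.1.10", "10.1.1.12"],  # local edit
    ("port list", "http_ports"): [80],
    ("address list", "dns_servers"): ["10.1.1.53"],
    ("schedule", "maintenance"): "Sun 01:00-03:00",                # local edit
    ("address list", "mgmt_hosts"): ["10.9.0.5"],                  # local addition
}
WORKING = {
    ("address list", "web_servers"): ["10.1.1.10"],
    ("port list", "http_ports"): [80, 443],                        # BIG-IQ edit
    ("address list", "dns_servers"): ["10.1.1.53"],
    ("schedule", "maintenance"): "Sun 03:00-05:00",                # BIG-IQ edit
}

if __name__ == "__main__":
    buckets = classify_changes(SNAPSHOT, CURRENT, WORKING)
    print("needs reimport before deploying:", needs_reimport(buckets))
    for name, keys in buckets.items():
        print(f"{name}: {keys}")
    for key, (old, new) in deployment_preview(CURRENT, WORKING).items():
        print(f"deploy would change {key}: {old} -> {new}")
```

The local-only bucket is exactly the set a deployment would silently revert (including removing the locally added address list); the both bucket is what a reimport would surface in the Resolve Conflicts dialog.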

Device discovery states

The following states can occur during the discovery process.

NEW
SUBTASK_INIT
LOAD_LICENSE
QUERY_LICENSE
IDENTIFY_LICENSE
PENDING_IDENTIFIED_DEVICE
IDENTIFY_DEVICE_COMPLETE
DELAY_REFRESH_COMPLETE
REFRESH_DEVICE_COMPLETE
QUERY_RUNNING_CONFIG
RUNNING_IMPORT_COMPLETE
RUNNING_IMPORT_RULELISTS_COMPLETE
RUNNING_IMPORT_FIREWALLS_COMPLETE
WORKING_IMPORT_COMPLETE
WORKING_IMPORT_RULELISTS_COMPLETE
WORKING_IMPORT_FIREWALLS_COMPLETE
PENDING_CONFLICTS
PENDING_CANCEL
CONFLICT_RESOLUTION_COMPLETE
IMPORT_ADDRESS_LISTS_COMPLETE
IMPORT_PORT_LISTS_COMPLETE
IMPORT_SCHEDULES_LISTS_COMPLETE
UPDATING_RULES_COMPLETE
REFRESH_RULE_LISTS_COMPLETE
IMPORT_RULE_LISTS_COMPLETE
IMPORT_RULES_COMPLETE
UPDATING_FIREWALLS_COMPLETE
IMPORT_FIREWALLS_COMPLETE
COMPLETE
FAILED
FAILED_MAX_EXCEEDED